Sony Pictures Lawsuit Highlights Breadth of Cybersecurity Breach Impact
In the latest of the hacking scandals, Sony Pictures Entertainment Inc. not only had its employees’ sensitive data splashed across the Internet, but it is now facing a class action lawsuit filed on behalf of current and former employees whose data was compromised. The lawsuit alleges that Sony Pictures knew about security vulnerabilities in its systems but chose to accept the risk. Its own IT department and general counsel had warned executives that its security measures could put the company at risk, but the executives did not heed the warnings. If executives weren’t paying attention to security strategy before, they are now.
Even if Sony is able to counter allegations that its security was inadequate by focusing on the characterization of the attack as an “unprecedented” event that no company could have prevented, as its hired security consultant has claimed, it is still left having to explain how an attacker was not only able to get in but was also able to access and exfiltrate such an incredibly wide range and volume of sensitive data. This may prove a much tougher hurdle to clear.
In today’s cyber threat environment, it is widely acknowledged that keeping sophisticated attackers out of your network is an unattainable objective. Yet companies still pour the bulk of their security budgets into perimeter defenses while neglecting the internal controls that can have a major effect on the ultimate impact of a breach event. In short, in addition to making it difficult for an attacker to get into your network in the first place, equal if not greater attention must be given to making a successful attacker’s visit to your network a short, unpleasant and ultimately unproductive stay.
Sony’s lawyers will have their work cut out for them in trying to unravel the details of the attack and explain to litigants, regulators, shareholders and other interested parties not only how the breach occurred but how a single breach could have had such a devastating impact. The rest of us must learn from Sony’s plight and endeavor to enhance our internal security controls and evaluate the maturity of our critical data access management program to proactively reduce the potential impact of a similar breach event.